Keycloak UMA resource_set Endpoint: Access Control Bypass via PUT
CVE-2026-4628 Published on March 23, 2026

Keycloak: org.keycloak.authorization: keycloak: unauthorized resource modification due to improper access control
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloaks User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.

NVD

Vulnerability Analysis

CVE-2026-4628 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-4628 has been classified to as an Authorization vulnerability or weakness.


Products Associated with CVE-2026-4628

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Build Keycloak
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jbosseapxp
 
Red Hat Single Sign On
 

Affected Versions

Red Hat Build of Keycloak: Red Hat JBoss Enterprise Application Platform 8: Red Hat JBoss Enterprise Application Platform Expansion Pack: Red Hat Single Sign-On 7: